Changelog
*Sourced from [bleach's changelog](https://github.com/mozilla/bleach/blob/master/CHANGES).*
> Version 3.1.1 (February 13th, 2020)
> -----------------------------------
>
> **Security fixes**
>
> * ``bleach.clean`` behavior parsing ``noscript`` tags did not match
> browser behavior.
>
> Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
> the raw text tags (``title``, ``textarea``, ``script``, ``style``,
> ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
> to a mutation XSS.
>
> This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
> and v3.1.0. Earlier versions are probably affected too.
>
> Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
>
> **Backwards incompatible changes**
>
> None
>
> **Features**
>
> None
>
> **Bug fixes**
>
> None
>
> Bleach changes
> ==============
>
> Version 3.1.0 (January 9th, 2019)
> ---------------------------------
>
> **Security fixes**
>
> None
>
> **Backwards incompatible changes**
>
> None
>
> **Features**
>
> * Add ``recognized_tags`` argument to the linkify ``Linker`` class. This
> fixes issues when linkifying on its own and having some tags get escaped.
> ... (truncated)
Commits
- [`0d88dd8`](https://github.com/mozilla/bleach/commit/0d88dd83e425c4ba381d5b83fe61bfae5bbbd627) Update for v3.1.1 release
- [`996cde7`](https://github.com/mozilla/bleach/commit/996cde7a2439a2323f9c4b2567c8b8449d393351) fix bug 1615315
- [`2f210e0`](https://github.com/mozilla/bleach/commit/2f210e06baacb1015bdde9896ad465dab0ccc378) Merge pull request [#435](https://github-redirect.dependabot.com/mozilla/bleach/issues/435) from willkg/3_1_0_release
- [`ad910ce`](https://github.com/mozilla/bleach/commit/ad910ce30926f8698cf7c8f4ec8b32d00d0897b2) Update for 3.1.0 release
- [`948b745`](https://github.com/mozilla/bleach/commit/948b745af35fb19ef4dd41779eba7ba965d97db9) Merge pull request [#433](https://github-redirect.dependabot.com/mozilla/bleach/issues/433) from willkg/357-doctest
- [`245c21c`](https://github.com/mozilla/bleach/commit/245c21c3cef788dbfdb380514434497866443e87) Fix doctest failures
- [`cabd665`](https://github.com/mozilla/bleach/commit/cabd665db0b0a51aa4c58aac2c47bd4bf76e9c73) Merge pull request [#432](https://github-redirect.dependabot.com/mozilla/bleach/issues/432) from willkg/431-charencoding
- [`cb156cb`](https://github.com/mozilla/bleach/commit/cb156cb9054c34b817f8ed2dff92801a594b9107) Fix parsing "meta" tag with encoding attribute
- [`93a060e`](https://github.com/mozilla/bleach/commit/93a060e12138e5aeaf8627b305a918c4207b9c02) Merge pull request [#429](https://github-redirect.dependabot.com/mozilla/bleach/issues/429) from willkg/422-amp
- [`8d7fd48`](https://github.com/mozilla/bleach/commit/8d7fd48179b5020d9b1521be7b81e06648d868d3) Convert & to & as a Characters token
- Additional commits viewable in [compare view](https://github.com/mozilla/bleach/compare/v1.5...v3.1.1)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/UKPLab/elmo-bilstm-cnn-crf/network/alerts).
dependabot[bot]
commented
4 years ago
Bumps bleach from 1.5.0 to 3.1.1.
Changelog
*Sourced from [bleach's changelog](https://github.com/mozilla/bleach/blob/master/CHANGES).* > Version 3.1.1 (February 13th, 2020) > ----------------------------------- > > **Security fixes** > > * ``bleach.clean`` behavior parsing ``noscript`` tags did not match > browser behavior. > > Calls to ``bleach.clean`` allowing ``noscript`` and one or more of > the raw text tags (``title``, ``textarea``, ``script``, ``style``, > ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable > to a mutation XSS. > > This security issue was confirmed in Bleach versions v2.1.4, v3.0.2, > and v3.1.0. Earlier versions are probably affected too. > > Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade. > > https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 > > **Backwards incompatible changes** > > None > > **Features** > > None > > **Bug fixes** > > None > > Bleach changes > ============== > > Version 3.1.0 (January 9th, 2019) > --------------------------------- > > **Security fixes** > > None > > **Backwards incompatible changes** > > None > > **Features** > > * Add ``recognized_tags`` argument to the linkify ``Linker`` class. This > fixes issues when linkifying on its own and having some tags get escaped. > ... (truncated)Commits
- [`0d88dd8`](https://github.com/mozilla/bleach/commit/0d88dd83e425c4ba381d5b83fe61bfae5bbbd627) Update for v3.1.1 release - [`996cde7`](https://github.com/mozilla/bleach/commit/996cde7a2439a2323f9c4b2567c8b8449d393351) fix bug 1615315 - [`2f210e0`](https://github.com/mozilla/bleach/commit/2f210e06baacb1015bdde9896ad465dab0ccc378) Merge pull request [#435](https://github-redirect.dependabot.com/mozilla/bleach/issues/435) from willkg/3_1_0_release - [`ad910ce`](https://github.com/mozilla/bleach/commit/ad910ce30926f8698cf7c8f4ec8b32d00d0897b2) Update for 3.1.0 release - [`948b745`](https://github.com/mozilla/bleach/commit/948b745af35fb19ef4dd41779eba7ba965d97db9) Merge pull request [#433](https://github-redirect.dependabot.com/mozilla/bleach/issues/433) from willkg/357-doctest - [`245c21c`](https://github.com/mozilla/bleach/commit/245c21c3cef788dbfdb380514434497866443e87) Fix doctest failures - [`cabd665`](https://github.com/mozilla/bleach/commit/cabd665db0b0a51aa4c58aac2c47bd4bf76e9c73) Merge pull request [#432](https://github-redirect.dependabot.com/mozilla/bleach/issues/432) from willkg/431-charencoding - [`cb156cb`](https://github.com/mozilla/bleach/commit/cb156cb9054c34b817f8ed2dff92801a594b9107) Fix parsing "meta" tag with encoding attribute - [`93a060e`](https://github.com/mozilla/bleach/commit/93a060e12138e5aeaf8627b305a918c4207b9c02) Merge pull request [#429](https://github-redirect.dependabot.com/mozilla/bleach/issues/429) from willkg/422-amp - [`8d7fd48`](https://github.com/mozilla/bleach/commit/8d7fd48179b5020d9b1521be7b81e06648d868d3) Convert & to & as a Characters token - Additional commits viewable in [compare view](https://github.com/mozilla/bleach/compare/v1.5...v3.1.1)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/UKPLab/elmo-bilstm-cnn-crf/network/alerts).